Thanks Quanah for your reply: Yes, it looks like im having the wrong
idea:
I 'just' need to check if a user have an entry at the People group
(where the password is), and *also* if that user belongs to the
MailUsers group (which contains the users able to use the mail system).
BTW, im just playing with ldapsearch now, but this is intented to be a
validation filter for a Zimbra instalation.

Then I think I would expect a filter of something like:

(&(uid=gherzig)(memberOf=cn=MailUsers,ou=groups,o=Work)) with a base of
"ou=people,o=work"

I.e., it would validate that there is an entry with uid "gherzig" in the
person tree, and that the entry is a memberof the cn=mailusers group.